3 Answers

Obviously, there is not one correct answer to this, but here are my thoughts on it:

It is an advantage for an attacker to have the source code. Black-box testing/attacking is - for obvious reasons - harder. Knowing how things work exactly is always better than guessing how they might work. Also, tools that search the source for possible vulnerabilities, well, they require the source ;)

But releasing the source also has advantages (at least in theory). More people will read the source code and bugs relevant to the security of the program will surface faster.
This is obviously only an advantage under two conditions:
1. People actually DO read the source code and report issues.
2. The developers fix the issues in a timely manner.
Both points are somewhat controversial. People behind the open source idea often suggest that point 1. happens a lot (which I am not that sure of) and practice shows that point 2. is not followed by many developers (however, if the vulnerability was published openly, any user is at least aware of it and can act accordingly).

So to summarise, it is definitely an advantage for an attacker to have the source code, but the more people review the source, the more bugs are hopefully fixed.

So in answer to my bolded question, it is an advantage, but not for long providing you keep updating to the latest version of the source (and the crowd actually fix the vulnerabilities). Have I got that about right?
– George Duckett, Mar 29 '12 at 13:08

@George Basically, yes. Knowing the source makes attacks easier for the attacker, but the developers might decide to publish the source anyway, as the security of it improves overall (and thus the benefits outweigh). And keeping to the newest version of anything is always a good idea for the end user.
– tim, Mar 29 '12 at 13:16

The key here is that with closed source code, the onus is on protecting that code - attackers may try to steal the code, reverse engineer it, or just attack it. The internal processes should be designed to identify vulnerabilities and fix them, but the numbers are quite skewed:

Attackers: many
Defenders: few

With open source code, there is a slightly increased risk that the attackers may identify new vulnerabilities, but importantly you end up with many more potential defenders identifying code vulnerabilities and informing the code writers:

Attackers: many
Defenders: many

Have a look at this question comparing open and closed source as it may answer all your questions. If it does, we can close this one as a dupe.

"It is always possible to get the source code to a closed application." Please shed some light on this.
– Karthik, Apr 2 '12 at 6:46


I'm assuming he means things such as social manipulation, malware on developer's PCs, getting a job and walking away with the source, security breaches, .NET decompilation or any number of alternative ways that source gets leaked.
– StrangeWill, Apr 3 '12 at 15:10
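The second answer's "reverse engineer it" and the ".NET decompilation" in the comment above both rest on the same fact: a compiled program still has to carry its logic and its constants, so closed source only raises the cost of reading it. The following is an added example, not code from any of the answers or commenters, that shows the Python analogue. A constructed "vendor" module with a hard-coded licence check (`check_license`, the key string `ACME-2012-SECRET`; both are invented for the illustration) is compiled and serialised the way a `.pyc` is, and the "attacker" then recovers the secret from the bytecode alone, without ever seeing the source text, and feeds it back to the shipped code.

```python
# Added example, not code from the original answers or commenters.
# Demonstrates that a compiled program is not a secret: the "vendor" ships
# only Python bytecode (what a .pyc contains), and the "attacker" recovers
# the hard-coded check from that bytecode alone.
import dis
import marshal
import types

# Constructed sample of a closed-source module. The vendor keeps this text;
# the customer only ever receives the compiled form produced below.
VENDOR_SOURCE = '''
def check_license(key):
    # Hard-coded secret the vendor hoped nobody would read
    return key == "ACME-2012-SECRET"
'''


def build_shipped_bytecode(source: str) -> bytes:
    """Compile the source and serialise the code object, as a .pyc does."""
    code = compile(source, "<shipped>", "exec")
    return marshal.dumps(code)


def nested_functions(module_code: types.CodeType) -> dict:
    """Map function name -> code object for every function in the module."""
    return {
        c.co_name: c
        for c in module_code.co_consts
        if isinstance(c, types.CodeType)
    }


def string_constants(blob: bytes) -> dict:
    """Recover every string literal per function, using the bytecode only."""
    funcs = nested_functions(marshal.loads(blob))
    return {
        name: [c for c in code.co_consts if isinstance(c, str)]
        for name, code in funcs.items()
    }


def compare_operands(blob: bytes, func_name: str) -> list:
    """Return constants that are loaded immediately before a comparison.

    This is the generic 'find the magic value' pass a reverse engineer runs:
    walk the instruction stream and note which LOAD_CONST feeds COMPARE_OP.
    """
    code = nested_functions(marshal.loads(blob))[func_name]
    operands = []
    last_const = None
    for ins in dis.get_instructions(code):
        if ins.opname == "LOAD_CONST":
            last_const = ins.argval
        elif ins.opname == "COMPARE_OP" and last_const is not None:
            operands.append(last_const)
            last_const = None
    return operands


def recovered_key_passes(blob: bytes) -> bool:
    """Feed the recovered constant back into the shipped code: is it accepted?"""
    key = compare_operands(blob, "check_license")[0]
    namespace = {}
    exec(marshal.loads(blob), namespace)  # run the shipped module as-is
    return namespace["check_license"](key)


if __name__ == "__main__":
    shipped = build_shipped_bytecode(VENDOR_SOURCE)
    print("string constants:", string_constants(shipped))
    print("compared against:", compare_operands(shipped, "check_license"))
    print("recovered key accepted:", recovered_key_passes(shipped))
```

The same walk works on any serialised code object, and the equivalent for a .NET assembly is what a decompiler does with the IL and metadata it contains: the names, constants and control flow are all still there, which is why "closed source" protects a secret only as well as the effort an attacker is willing to spend.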